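{
  config,
  lib,
  ...
}:
# NixOS module: an opt-in switch that turns off the kernel's CPU vulnerability
# mitigations by appending the parameters below to the kernel command line.
# Off by default; enabling it trades side-channel hardening for performance.
let
  inherit (lib) mkIf mkOption types;

  cfg = config.security.mitigations;

  # Kernel parameters appended when the option is enabled.  `mitigations=off`
  # is the kernel's umbrella switch; the per-vulnerability flags are kept
  # alongside it so the intent is explicit.  `tsx=on` re-enables TSX on CPUs
  # where the kernel would otherwise disable it because of TAA.
  # Kept as a list rather than a space-separated string so no splitting or
  # indented-string whitespace handling is involved.
  kernelParams = [
    "ibrs"
    "noibpb"
    "nopti"
    "nospectre_v2"
    "nospectre_v1"
    "l1tf=off"
    "nospec_store_bypass_disable"
    "no_stf_barrier"
    "mds=off"
    "tsx=on"
    "tsx_async_abort=off"
    "mitigations=off"
  ];
in {
  options = {
    security.mitigations.disable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to disable the kernel's CPU vulnerability mitigations
        (Spectre v1/v2, Meltdown/PTI, L1TF, MDS, TAA, speculative store
        bypass) and re-enable TSX. Do not use this in mission critical
        deployments, on any machine you do not have physical access to, or
        on hosts that run untrusted code (virtual machines, containers,
        browsers).
      '';
    };
  };

  # Only touch the kernel command line when the option is explicitly enabled.
  config = mkIf cfg.disable { boot.kernelParams = kernelParams; };
}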